fbpx

Representative offices: 

Request callback
btn

The Rise of Botnet and DDoS Attacks

Articles and reviews

Distributed Denial of Service (DDoS) attacks have become an everyday or, some might argue, an hourly problem. Using a variety of techniques, a wide range of threat actors from lone hackers, criminal gangs and hacktivists, to nation-states have and are using DDoS attacks.

These attacks are carried out in order to reduce the performance and disable the network communication of the systems. These targets can be small or large businesses, Internet service providers, manufacturers, retailers, healthcare providers, schools and universities, or other organizations. State institutions, law enforcement structures, defense sector organizations are a special target for criminals. Essentially, any organization with an Internet presence can become a DDoS target.

Now, here is the why. There are three main reasons why people create botnets: For financial gain by extortion—pay up or we keep attacking; to make a point—stop (or start) doing something or we continue; or, in the case of nation-state actors, as an espionage or cyber warfare tactic.

From this article, you will learn how botnets and DDoSattacks are created - how botnet attacks and DDoS attacks are created - the most common mechanism of attacks using a collection of remotely controlled, hacked services or devices.


What is a botnet?

The bots of a botnet can include computers, smartphones, virtualized machines, and/or a wide range of Internet of Things (IoT)devices such as IP cameras, smart TVs, routers, anything that has internet connectivity and can be compromised. In particular, IoT vulnerabilities and misconfigurations are extremely common in the consumer market making it very easy for hackers to create an IoT botnet. Moreover, botnets, particularly when they become part of an IoT botnet, can be enormous; a single botnet can be comprised of hundreds of thousands or even millions of hijacked devices.

Hijacking devices for a botnet involves finding devices that have security vulnerabilities to make it possible to be infected with “botware,” malware to be installed on the device. But the devicesinfected with botwarearen’t the only thing a botnet needs.

Many sources — including as of writing Wikipedia — appear to be confused about what constitutes a botnet. While the most obvious part of a botnet is the collection of devices it includes, the defining component is the existence of a Command and Control (C&C) system that controls what the network of bots does.

The botware on each compromised device communicates with the botnet C&C system and becomes part of a network of bots. Driven by commands from a “botmaster” or “botherder” — the person or group controlling the bots — some or all of the devices in the botnet do whatever they are asked to do.


Botnet Command and Control

The early communications between botnet command and control systems and botware on compromised devices were based on the client-server model using, for example, Internet Relay Chat (IRC). The botware connected to an IRC channel and waited for commands. Each bot can also respond on the same channel with status updates or remotely acquired data. Alternatives to IRC include the use of Telnet connections and HTTP requests for webpages or custom services. It’s worth noting that some botnets have used a hierarchical C&C system where layers of bots communicate in a client-server fashion with the bots in the layer above and relay commands to the layer below them.

The latest botnet command and control communications for botnets are based on peer-to-peer (P2P)connections. In this model, compromised devices discover each other by scanning IP address ranges to find specific port and protocol services and, when another botnet member is identified, sharing lists of known peers and relayed commands. This type of highly distributed mesh networking is obviously more complicated to create but also much harder to disrupt.


The Rise of the IoT Botnet

IoT devices include a huge range of commercial and consumer devices such as temperature measurement systems, smart TVs, IP cameras, smart door bells, security systems, network routers and switches, and even children’s toys. Despite a huge amount of commentary and warnings about IoT vulnerabilities and well-understood fixes to improve their security, basic defenses such as requiring effective passwords and not allowing default logins and user accounts are still ignored. Another source of IoT vulnerabilities comes from vendors not providing updates to address security problems and or the device owners failing to apply updates.


What Do Botnets Do?

Botnets are used for four main purposes and, generally, a botnet can be switched as a whole or in parts between any of these functions.

Spam and Phishing

One of the earliest uses of botnets was for generating spam, unsolicited commercial or fraudulent email. By using bots for this purpose, spammers avoid the problem of getting their bulk sending IP addresses blacklisted and even if some bots get blacklisted, there’ll always be more bots to use.

A more targeted use of botnet spam is for phishing for identity theft. By generating huge amounts of spam email messages inviting recipients to visit promotional websites, websites that appear to be banks or other financial institutions, enter competitions, etc., scammers try to harvest personal information such as bank account details, credit card data, and website logins.

Pay-per-Click Fraud

To increase website ad revenues — advertising networks such as Google pay-per-click on adverts the websites serve — botnets are used to fake user interaction. Because of the distributed nature of the sources of the clicks, it’s hard for the ad networks to identify click fraud.

Cryptomining

By running the algorithms that mine cryptocurrencies such as Bitcoin and Ether on tens of thousands of bots — an IoT botnet is the perfect platform. It thereby steals computer power from the device’s owner, and allows significant revenue without the usual costs of mining, mostly importantly, the cost of electricity.

DDoS Attacks as a Service

Distributed Denial of Service attacks are easily launched using botnets and, as with botnet generated spam, the distributed nature of the bots makes it difficult to filter out DDoS traffic. Botnets can execute any kind of DDoS attack and even launch multiple attack types simultaneously.

A relatively new hacker business is DDoS-as-a-Service. On the Dark Web and now, even on the regular web, you can buy DDoS attacks for as little as $5 per hour; the pricing depends on the required scale and duration of the attack.


A Very Brief History of Botnets

Arguably, the first true internet botnet was Bagle, first discovered in 2004. Bagle was a Windows worm that relayed spam sent from a botmaster. While the first version, called Bagle.A , was of limited success, the second version, Bagle.B infected something like 230,000 computers. On New Year’s Day 2010, the malware was responsible for roughly 14 percent of all spam. By April 2010, Bagle was sending approximately 5.7 billion spam messages per day. As with most malware, other hackers copied and improved the code with over 100 variants found in the wild by 2005.

Since then, arguably the first botnet to launch a DDoS attack was Akbot in 2007. The Akbot botnet was created by an 18-year-old in New Zealand. It used a C&C system based on IRC and at its peak involved 1.3 million computers.

Over time, botnet attacks have become commonplace and the biggest botnet known to date, the Russian BredoLab botnet,consisted of 30,000,000 devices..


The Future of Botnet and DDoS Attacks

Botnets are here to stay. Given the exponential growth of poorly secured IoT devices that can be co-opted into an IoT botnet as well as the growing population of vulnerable computers, botnet attacks have become endemic. As a cyber warfare tool, botnet and DDoS attacks have been observed on both sides of the Russian operation against Ukraine.

Whether you’re a government organization or a private company, you should be planning how you’re going to deal with a botnet and DDoS attack. Your first step is to realize that no online property or service is too big or too small to be attacked.

Second, plan for increased bandwidth ideally on an as needed basis. The ability to scale up your internet connection will make it harder for a botnet and DDoS attack to saturate your access and cut you off from the internet. The same elastic provisioning strategy applies to using cloud services rather relying than on-prem or single data center services.

Next, consider using or expanding your use of a content delivery network to increase your client-side delivery bandwidth. Using multiple CDNs also increases your resistance to DDoS attacks.

Finally, harden everything. Strategically deploying hardware and software DDoS mitigation services throughout your infrastructure is key to making botnet and DDoS attacks have minimal impact.

A10 Networks offers cyber security solutions that use advanced DDoS protection and mitigation strategies and protect against botnets and DDoS attacks. Options for the implementation of solutions can be very diverse: Proactive Deployment, Reactive Deployment, Reactive Deployment with Third-Party Flow Detector, Out-of-Band (TAP) Mode and others. A10 also provides full visibility into network traffic, making it harder for malware to infiltrate your networks or steal data without you knowing.

iIT Distribution is the official distributor of A10 Networks. We not only supply software and technical equipment, but also provide a full range of project support services. The initial examination and evaluation is carried out by highly qualified specialists, whose level is confirmed by the vendors' certificates.

Back

Mobile Marketing
+